Aligning Enterprise Risk Management With Strategy Through The BSC - The Bank of Tokyo - Mitsubishi Approach
Balanced Scorecard Report, September–October 2005
Figure 1. The COSO Enterprise Risk Management Cube. The COSO cube depicts how four categories of objective—strategic, operations, reporting, and compliance—overlay the eight components of risk management and internal controls across all units of an enterprise.

result, regulatory supervision policies in many advanced countries such as the U.S. and Japan are fundamentally based on the COSO framework. Supranational regulatory bodies such as the Bank for International Settlements have also adopted the concept. Hence, particularly for large complex global banks, implementing the COSO ERM system within the organization is a de facto requirement for what regulators refer to as “safe and sound banking.”

But the COSO ERM concept had never been tied explicitly to the BSC methodology. Scorecard literature typically highlights value-creation strategies such as growth and efficiency. But value loss prevention—the risk management aspect of these strategies—is rarely mentioned. Similarly, risk management literature tends to focus on risk measurement and assessment, seldom discussing the importance of how these risks align to strategic objectives.

For BTM, a strategy that lacks alignment to risk management is not only insufficient but downright dangerous. As the series of recent corporate failures indicates, the aggressive execution of a strategy that lacks appropriate checks and balances can result in disaster. Furthermore, BTM recognizes that risk management is pointless unless it is closely tied to the company’s strategic objectives. After all, risks include all sorts of things—marketplace obstacles, legal hazards, inadequate or inefficient processes, and fraudulent activities—that might hinder an entity from achieving its objectives. How significant a risk is depends on the relative importance of the objectives it could affect. In short, strategy and risk management are two sides of the same coin; they must be considered in tandem. BTM’s BSC reflects this notion.

Mapping the COSO ERM and the BSC

The BSC and the COSO ERM are largely complementary. For example, the BSC makes strategy everyone’s job via cascading. Similarly, the COSO ERM model suggests that everyone in an entity has some responsibility for enterprise risk management. Given this commonality—that both strategy and risk management are everyone’s job—the COSO ERM model can be mapped to the BSC according to its eight components of risk management and internal control (shown by the front face of the COSO ERM cube in Figure 1). In fact, this mapping is the key to integrating the two concepts virtually into one (see Figure 2 on p. 14). Let’s consider each COSO ERM component and how it can be linked to the BSC.

Internal Environment. This refers to top management’s commitment to risk management. In the context of the BSC-COSO linkage, it is about management’s determination to use the BSC with the COSO ERM system to enhance the organization’s safety and soundness. This is akin to the best-practice concept of “Top leadership committed” in Strategy-Focused Organization Principle #1, “Mobilize Change Through Executive Leadership.”

Objective Setting. COSO requires setting four categories of objectives—strategic, operations, reporting, and compliance. From the BSC viewpoint, strategic objectives are those closely associated with achieving the mission and vision of the organization, generally implemented via high-priority projects. Once they are cascaded down to the operational levels, they are translated into “operations” objectives. “Reporting” and “compliance” objectives fit well with social and regulatory strategic themes and objectives in the BSC, which generally show up in the internal and customer perspectives. CSR-related objectives also fit well in these categories. The benefit of using the COSO ERM model in concert with the BSC is that it helps ensure that all the strategically important objectives of these four categories are included in the BSC, while keeping the organization strategy-focused.

Event Identification, Risk Assessment, Risk Response, and Control Activities. These four components comprise the heart of risk management.4
• Event Identification: Identifying the internal and external events that affect an organization’s ability to achieve its objectives. In the banking industry, risk is typically classified into three categories: market, credit, and operational. All organizational units are responsible for identifying and managing operational risk, which includes legal and regulatory compliance risk. The treasury function is responsible for market risk. All lending-related areas are responsible for credit risk.

• Risk Assessment: Developing scenarios and calculating the likelihood, consequences, and potential costs (tangible and intangible) of each potential risk event. These scenarios are the basis on which the organization determines how it should manage risks.

• Risk Response: Having in place a plan to address risks either by avoiding, accepting, reducing, or sharing them. This involves aligning risks with the organization’s risk tolerance and risk appetite.

• Control Activities: Establishing policies and procedures that help an organization efficiently and effectively carry out risk responses.

An organization is ready to execute these processes for proactive risk management once the four types of COSO objectives have been set. To make everyone more accountable for risk management performance, an organization would simply add objectives requiring these steps in every unit’s BSC. This is the most significant benefit the BSC brings to the COSO ERM model. For example, by setting a bankwide objective of implementing control self-assessment in every unit’s BSC, everyone is required to go through these steps in the potential risk areas BTM faces.

Information and Communication. The COSO ERM model requires that relevant information be communicated vertically and horizontally within the organization to help people enact their risk management responsibilities. The BSC ensures that strategic information is cascaded from the top down. Also, as indicated in the third dimension of the COSO ERM cube, the information flow applies across organizational levels. Additionally, the BSC/COSO-based double-feedback loop covers not only strategy-related information flows, but also those related to risk management. This accelerates organizational learning and alignment between strategy and risk management.

Monitoring. Monitoring is typically conducted by two parties: management and internal auditors. Management monitors performance of the organizational units using the BSC. Internal auditors, besides monitoring risk management within each organizational unit, validate whether the entire architecture of the strategy-risk linkage is working efficiently and effectively.

A Package Deal for Governance and Goal Achievement

The COSO ERM model expands the use of the BSC to cover the management of risks that might arise in the course of executing strategy. Therefore, when they are used properly together, management enhances the potential for achieving the organization’s goals and objectives. In addition, by using the BSC and the COSO ERM model as a “package” rather than separately, the organization achieves simplicity in governance while minimizing confusion. Although BTM’s linkage is unique, it should be applicable to any organization that seeks to align strategy and risk management. Moreover, just as the BSC has evolved over time, so we expect the BSC–COSO ERM linkage to do so at BTM. For the sake of the wider application of this linkage model, we expect, and hope, to see further study of it by strategists and risk managers.

Figure 2. BSC–COSO ERM Mapping Chart. The elements of risk management defined by the COSO ERM model correspond to the three strategy-related processes defined by the BSC and to the BSC’s feedback properties.

1 COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It was established by five accounting and finance professional associations—the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors—to develop standards for internal controls. For more information, see http://www.coso.org.
2 The COSO Enterprise Risk Management–Integrated Framework, Executive Summary, September 2004, p. 2.
3 Ibid., p. 1.
4 For a more exact definition of the four components, refer to http://www.coso.org.

Reprint #B0509D